Kaminsky: DNS flaw capable of attacks on many fronts

By Robert Westervelt, News Editor 06 Aug 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

There's a reason why so many people had so many things to speculate about, because there's a ton of different paths that lead to doom. Dan Kaminsky, director of penetration testing, IOActive

LAS VEGAS -- Speaking to more than 1,000 security professionals at the Black Hat briefings, Dan Kaminsky outlined more than a dozen ways the DNS cache poisoning flaw could be used to cause widespread damage on internal and external servers.

Kaminsky's presentation Wednesday marked the first time the full details of the vulnerability were revealed since it was publicly disclosed July 8 in a massive coordinated patch release by multiple DNS vendors.

Kaminsky, director of penetration testing at IOActive Inc., said the vulnerability enables attackers to move beyond standard server or browser attacks and into attacks on applications that pull data from the Web -- making a DNS request -- without using a browser. Email, Voice over Internet Protocol (VoIP) and analytical applications are vulnerable to the poisoning attack. Authentication servers, back-end databases and even service-oriented architectures (SOA) are at risk since they are directed by DNS, even though they may be behind a firewall.

Black Hat 2008 Visit our extensive news coverage of Black Hat 2008. Exclusive photos of Black Hat 2008. Mozilla to release Firefox threat-modeling data: The Mozilla Foundation's security chief says it will soon publicly release threat-modeling data for the next version of the Firefox Web browser. Valuable lesson emerges from DNS flaw handling Any effort to prevent others in the legitimate security community from working out the problem is a waste of time. Hoffman to demonstrate new hacking techniques Researcher to demonstrate hacking methods that enable malware authors to shield their programs from analysis.

"There's a reason why so many people had so many things to speculate about, because there's a ton of different paths that lead to doom," Kaminsky said.

IT administrators had a good reason to deploy patches quickly, Kaminsky said. An attack can be carried out in seconds by flooding the DNS server with requests until a legitimate answer is received. The technique also involves redirecting the name server to an IP address set up by the attacker, and the use of bailiwick checking to dupe the server into believing the queried domain is legit.

The good news is that 70% of Fortune 500 email servers have been patched, as well as 61% of other servers. Still, more work needs to be done, he said. The vulnerability exposed the degree to which security best practices have been ignored, Kaminsky said. Even if a patch is fully deployed, there are other ways unencrypted IP traffic can be sniffed by an attacker, he said.

"DNS should not have been capable of this much damage," Kaminsky said. "Why was such a stupid simple bug capable of breaking this many things?"

Other attack scenarios make website verification and application updates vulnerable. Kaminsky highlighted the threat to SSL certificates, which are dependent on DNS. He called the certificate system poorly managed and mostly ignored by end users. With an exception to Microsoft updates, many vendor updates are dependent on DNS for verification, he said.

SearchSecurity radio:

Microsoft, Cisco Systems Inc., Internet Systems Consortium Berkeley Internet Name Domain (ISC BIND) and other vendors met at a secret summit in March to figure out how to repair the issue. Ultimately, the vendors agreed to issue a critical design patch that implements port randomization to correct the problem. Instead of randomizing on a transaction ID field of 16 bits, it now randomizes using 27-30 bits, greatly reducing the odds of someone successfully carrying out an attack, Kaminsky said. The session proved that vendors can cooperate despite competition and have a productive result, he said.

"We had a choice back at our summit in March," Kaminsky said. "We could either do point fixes or we could drop the sledge hammer and finally raise the odds from one out of 65,000 to one out of hundreds of millions."

Behind the scenes, DNS vendors and security experts are still racing to come up with a more permanent fix.

Rodney Joffe, senior vice president and senior technologist at NeuStar, a DNS vendor. Joffe sits on the Security and Stability Committee of the Internet Corporation for Assigned Names and Numbers (ICANN), and has worked on DNS security issues for years at ICANN meetings. He said it has been clear behind the scenes of how challenging it is to solve the DNS cache poisoning flaw. Although the current patch solves the problem temporarily, vendors need to push for a more permanent fix, he said.

Joffe is advocating for DNSSEC, a 12-year-old protocol that allows for the trusted signing of DNS answers.

"Over coming months and days it's going to drop down to hours and seconds again for attackers to pull off a successful exploit as they get more bandwidth available," Joffe said. "It's going to be race between getting DNSSEC deployed and getting machines and more bandwidth."

Tags: Web Server Threats and Countermeasures,  Emerging Information Security Threats,  Web Application Security,  Web Services Security and SOA Security,  Web Browser Security,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Server Threats and Countermeasures Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security How to harden Linux operating systems How to clear out anonymous Web proxy servers in the workplace Information security book excerpts and reviews Is it more secure to have a mainframe or a collection of servers? How does a Web server model differ from an application server model? Emerging Information Security Threats Antispyware buying guide for Indian enterprises ATM malware lets attackers take over machines FTC shutters rogue ISP for hosting malicious content, botnets The failing war against cybercriminals White House cybersecurity czar faces major hurdles Cybercrime and threat management The Pipe Dream of No More Free Bugs Face-off: Who should be in charge of cybersecurity? Federal efforts to secure cyberinfrastrucure Adobe working on patch to correct new zero-day flaw Web Application Security nCircle statistics show rising Web application vulnerabilities Twitter bugs, DNSSEC and broswer security Month of Twitter Bugs project to document Twitter flaws Are Web application penetration tests still important? IT pros can detect, prevent website vulnerabilities, thwart attacks PCI compliance requirement 6: Systems and applications Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits XSS bugs, information leakage top list of website vulnerabilities How to find and stop automated SQL injection attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cache cramming  (SearchSecurity.com) content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary